That works for pct of count, but that's not what I'm looking for. Let me show the data; it might make more sense.
So the TOP.sh script (*NIX Add-on) runs every 1 minute and returns the processes running and the pctCPU. In our server, we have 44 cores, so you will see processes grab 20 or 30 cores at times.
Example:
Time Interval #1
COMMAND pctCPU
processA 103.8%
processB 27.1%
processC 3103.9%
Time Interval #2
COMMAND pctCPU
processA 431.8
processB 89.1
processC 300.9
I wrote a chart search to sum by each process, which, combined, looks like this:
PieChart
processA 535.6
processB 116.2
processC 3404.8
Splunk creates the piechart and that works fine. It also creates the pie slice percentages. I want this in a statistics table.
So, all I need to do is add a new field to the piechart results that totals all of the process percentages together and then divides each process by the total in a new column. Then, return the Process and PCT.
COMMAND pctCPU totalCPU totalPCT
processA 535.6 4056.6 13.2
processB 116.2 4056.6 2.8
processC 3404.8 4056.6 83.9
FINAL
COMMAND totalPCT
processA 13.2
processB 2.8
processC 83.9
I just keep getting a logic error with the syntax above. My subsearch works fine by itself. When I put it in the EVAL, it appears to return a boolean value. The search by itself returns a number.
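Added example, not part of the original post: one way to get the FINAL table described above without a subsearch is to let `eventstats` attach the grand total to every row and then divide. The `makeresults` block is constructed sample data copied from the two intervals in the post (it assumes a Splunk version that supports `makeresults format=csv`); replace it with your own base search that returns COMMAND and pctCPU.

```spl
| makeresults format=csv data="interval,COMMAND,pctCPU
1,processA,103.8
1,processB,27.1
1,processC,3103.9
2,processA,431.8
2,processB,89.1
2,processC,300.9"
| stats sum(pctCPU) AS pctCPU BY COMMAND
| eventstats sum(pctCPU) AS totalCPU
| eval totalPCT = round(pctCPU / totalCPU * 100, 1)
| table COMMAND totalPCT
```

With this data `round()` returns 2.9 for processB (116.2 / 4056.6 is about 2.86%), where the table in the post shows the truncated 2.8.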